| Identifier | Published | Source |
|---|---|---|
| CVE-2020-10231 | 1 Apr 2020 19:28 | circl |
| CVE-2020-10231 | 1 Apr 2020 13:57 | cve |
| CVE-2020-10231 | 1 Apr 2020 13:57 | cvelist |
| EUVD-2020-2689 | 7 Oct 2025 00:30 | euvd |
| CVE-2020-10231 | 1 Apr 2020 14:15 | nvd |
| CVE-2020-10231 | 1 Apr 2020 14:15 | osv |
| Null pointer dereference | 1 Apr 2020 14:15 | prion |
Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference
Author: Pietro Oliva
CVE: CVE-2020-10231
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected versions: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214,
NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205,
NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805,
NC450 <= 1.5.0 build 181022
Description:
The issue is located in the httpLoginRpm method of the ipcamera binary (the
handler for /login.fcgi). After a successful login, the return value of
httpGetEnv(environment, "HTTP_USER_AGENT") is used without a NULL check: shortly
afterwards it is passed to strstr(user_agent_string, "Firefox"). If the client
does not send a User-Agent header, httpGetEnv returns NULL, strstr dereferences
the NULL pointer, and the ipcamera process crashes.
Impact:
After the crash, the web interface on port 80 is no longer available (denial of
service against the camera's management interface).
Exploitation:
An attacker can trigger the issue by sending a login request with valid
credentials (either the admin account or a limited user account) but without a
User-Agent HTTP header. Where the default credentials have not been changed,
they satisfy the credentials requirement.
Evidence:
The disassembly of affected code from an NC200 camera is shown below:
0x0047dca0 lw a0, (user_arg)
0x0047dca4 lw a1, (password_arg)
0x0047dca8 lw t9, -sym.swUMMatchPassword(gp) ; swUMMatchPassword(user, password)
0x0047dcac nop
0x0047dcb0 jalr t9
0x0047dcb4 nop
0x0047dcb8 lw gp, (saved_gp)
0x0047dcbc sw v0, (auth_result)
0x0047dcc0 lw v0, (auth_result)
0x0047dcc4 nop
0x0047dcc8 bnez v0, 0x47de34 ; non-zero result: login failed, User-Agent code below is skipped
0x0047dccc nop
0x0047dcd0 sw zero, (arg_54h)
0x0047dcd4 lw a0, (environment)
0x0047dcd8 lw a1, -0x7fe4(gp)
0x0047dcdc nop
0x0047dce0 addiu a1, a1, -0x7cb0 ; "HTTP_USER_AGENT"
0x0047dce4 lw t9, -sym.httpGetEnv(gp)
0x0047dce8 nop
0x0047dcec jalr t9
0x0047dcf0 nop
0x0047dcf4 lw gp, (saved_gp)
0x0047dcf8 sw v0, (user_agent_ptr)
0x0047dcfc lw a0, (user_agent_ptr) ; <== This pointer could be NULL
0x0047dd00 lw a1, -0x7fe4(gp)
0x0047dd04 nop
0x0047dd08 addiu a1, a1, -0x7ca0 ; "Firefox"
0x0047dd0c lw t9, -sym.imp.strstr(gp)
0x0047dd10 nop
0x0047dd14 jalr t9 ; strstr(user_agent_ptr, "Firefox") with no NULL check on a0
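The missing check from the Description and the disassembly above, as an added example that is not code from the ipcamera binary or from the advisory's author: a stand-in for httpGetEnv() that walks a CGI-style "NAME=value" environment, the post-login strstr() call written the way the advisory describes it (no NULL check), a hardened variant beside it, and two constructed environments, one from a Firefox client and one from a login request with no User-Agent header. The names http_get_env, ua_is_firefox_vulnerable and ua_is_firefox_fixed, the cgi_env_t type and the sample header strings are assumptions for illustration; nothing here beyond the strstr-on-NULL logic is taken from the real firmware.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the ipcamera binary's own code.
 * A NULL-terminated array of "NAME=value" strings stands in for the
 * FastCGI environment that httpGetEnv() searches. */
typedef const char *const *cgi_env_t;

/* Hypothetical equivalent of httpGetEnv(): return the value for `name`,
 * or NULL when the client sent no such header. */
static const char *http_get_env(cgi_env_t env, const char *name)
{
    size_t n = strlen(name);
    for (; *env != NULL; env++) {
        /* Require the '=' so "HTTP_USER_AGENT_X" does not match "HTTP_USER_AGENT". */
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    }
    return NULL;
}

/* Mirrors the post-login logic the advisory describes: the return value of
 * httpGetEnv(environment, "HTTP_USER_AGENT") goes straight into strstr().
 * With no User-Agent header, ua is NULL and strstr() dereferences it. */
static int ua_is_firefox_vulnerable(cgi_env_t env)
{
    const char *ua = http_get_env(env, "HTTP_USER_AGENT");
    return strstr(ua, "Firefox") != NULL;   /* SIGSEGV when ua == NULL */
}

/* Hardened variant: a missing header means "not Firefox" instead of a crash.
 * Returns 1 if the client identifies as Firefox, 0 otherwise. */
static int ua_is_firefox_fixed(cgi_env_t env)
{
    const char *ua = http_get_env(env, "HTTP_USER_AGENT");
    if (ua == NULL)
        return 0;
    return strstr(ua, "Firefox") != NULL;
}

/* Constructed sample environments (not captured from a camera). */
static const char *const env_with_firefox[] = {
    "REQUEST_METHOD=POST",
    "SCRIPT_NAME=/login.fcgi",
    "HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0",
    NULL
};

/* The advisory's trigger: an otherwise valid login with no User-Agent at all. */
static const char *const env_without_ua[] = {
    "REQUEST_METHOD=POST",
    "SCRIPT_NAME=/login.fcgi",
    NULL
};

int main(void)
{
    printf("Firefox client, fixed check:  %d\n", ua_is_firefox_fixed(env_with_firefox));
    printf("No User-Agent, fixed check:   %d\n", ua_is_firefox_fixed(env_without_ua));
    printf("Firefox client, vulnerable:   %d\n", ua_is_firefox_vulnerable(env_with_firefox));
    /* ua_is_firefox_vulnerable(env_without_ua) would crash here, as the camera does. */
    return 0;
}
```

The fix is the single NULL test in ua_is_firefox_fixed; any value returned by a header lookup (CGI environment, FastCGI params, HTTP header table) can be absent, so every such lookup needs the same guard before it reaches a libc string function.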